
How to lure two customers away from competitors, and then answer for it in front of a thousand?


Recently, many services and modules for online stores have become popular: callback widgets, chat rooms, buttons, and various counters and analytics.



Site owners happily install them on their websites without realizing what access they are granting to "such" services, and what consequences they will ultimately have to deal with.


The story of how one of these callback services was exposed is under the cut.





One callback service, which places the JS code of its module on hundreds of different sites, added a unique feature in order to attract more clients: identifying the Vkontakte profile of the user who requests a call from your site.

The capability is genuinely interesting, and many online stores would want it. Our clients also began asking us to build a similar feature. However, we understand our responsibility to our customers, so we check every decision.

So we decided to figure out what this tricky feature really is, and why the "real" large companies do not offer it, for example Yandex.Metrica or Google Analytics, for whom such a capability would be very relevant. There is no doubt that they have the ability to implement such a function.



First of all, we did not find any such capability in the official Vkontakte API or documentation, namely obtaining the profiles of users who visit a third-party site.



We wrote to Vkontakte support and received the following answer:


As can be seen from the screenshot, Vkontakte is categorically against this service.

The opinion of the official representatives was negative; it became obvious that adding such functionality is forbidden, and therefore impossible.



How does it work and why is it bad?



There has already been an article on Habrahabr about "social smarting", and in other sources too, but in short and without going into detail, it works as follows:

The user enters your site; the malicious code creates an invisible layer and emulates a click on the page of your site, as if the visitor had done it, after which the script receives the data.



That is, a certain module runs on your site, draws a window invisible to the user, performs a click on the user's behalf in this window, naturally without their knowledge, and receives data about their Vkontakte profile. Thus the user does not even know that they went to Vkontakte, made clicks, and so on. You will agree that this is at least not fair to your site's visitors, because one can go further: emulate likes, send private messages automatically without your visitor's knowledge, and so on.
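As an added example (not code from the original post or from any callback service), here is a defender-side heuristic a site owner can run to spot the hidden-overlay pattern described above: cross-origin frames that a visitor cannot actually see. In a browser the input would come from `document.querySelectorAll('iframe')` and `getComputedStyle`; here the frames, the page origin and the allow-list are constructed sample data so the logic runs offline under Node.

```javascript
// Added example: heuristic detector for invisible cross-origin iframes,
// the building block of the hidden-click trick the article describes.

function isTrusted(frameOrigin, pageOrigin, allowList) {
  // Same-origin frames and embeds the owner knowingly installed are fine.
  return frameOrigin === pageOrigin || allowList.includes(frameOrigin);
}

function hiddenReasons(style) {
  // Each check is a way to keep a frame clickable yet unseen by the visitor.
  const reasons = [];
  if (Number(style.opacity) < 0.1) reasons.push("transparent");
  if (style.width < 5 || style.height < 5) reasons.push("near-zero size");
  if (style.left < -style.width || style.top < -style.height) reasons.push("off-screen");
  return reasons;
}

function classifyFrames(frames, pageOrigin, allowList = []) {
  const findings = [];
  for (const f of frames) {
    let origin;
    try { origin = new URL(f.src, pageOrigin).origin; } catch { continue; }
    if (isTrusted(origin, pageOrigin, allowList)) continue;
    const reasons = hiddenReasons(f.style);
    if (reasons.length > 0) findings.push({ src: f.src, origin, reasons });
  }
  return findings;
}

// Constructed sample (placeholder domains, not real sites): a visible map
// embed the owner installed, a same-origin helper frame, and a third-party
// frame rendered invisible and pushed off-screen.
const PAGE_ORIGIN = "https://shop.example";
const ALLOWED_ORIGINS = ["https://maps.example"];
const SAMPLE_FRAMES = [
  { src: "https://maps.example/embed", style: { opacity: "1", width: 600, height: 400, left: 20, top: 300 } },
  { src: "/cart-frame", style: { opacity: "1", width: 300, height: 200, left: 0, top: 0 } },
  { src: "https://social.example/widget", style: { opacity: "0", width: 1, height: 1, left: -9999, top: 0 } },
];

function auditSampleFrames() {
  return classifyFrames(SAMPLE_FRAMES, PAGE_ORIGIN, ALLOWED_ORIGINS);
}

console.log(JSON.stringify(auditSampleFrames(), null, 2));
```

Detection is a fallback; the page owner's primary control is a `Content-Security-Policy` with a `frame-src` directive listing only the origins the site intends to embed, so an injected third-party module cannot create the hidden frame in the first place.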



How this feature is presented to the service's users.



Alas, the owner of the callback service stays elegantly silent about exactly how this feature works. He simply wrote "we have a new capability", and the online store owners, not knowing the details, in effect became his accomplices, turning their sites into a platform on which his malicious code runs.



The consequences of such tricks are only a matter of time. Not much time passed before VKontakte blocked all transitions from the social network to the pages of this callback service. And antivirus vendors blacklisted the resource as phishing, that is, as engaging in fraudulent activity without users' knowledge.



Pressure on trust

Now the owner of the "dark" callback service is busy misleading the antivirus vendors in an attempt to get his site removed from their databases, not caring about his customers, or not realizing that placing malicious code on other people's websites undermines their authority. He thinks only about his own service and forgets that his malicious code sits on many sites, which can also end up in an antivirus ban and thus risk losing their business.



At the moment, the service owner has removed the malicious code from the module and contacted antivirus representatives, so some of them have removed it from their blacklists.



But what happens next? If such an internet service does not say how this or that functionality works, does not talk about the risks it shifts onto online store owners, and after being exposed continues to write in open sources about its "innocence", blaming everything on competitive wars, is it worth trusting such a service? After all, having done it once, he can again activate a "hidden capability" on his clients' sites without telling them.



Dear site owners and services: "do not use dubious services, do not fall for these tricks!"



After all, if malicious code runs on your site, there is always a chance of quickly ending up on a blacklist, and when visiting your site you will see:





or



or





Be careful! Work with stable companies that at least have an office :)







Respectfully,

Callback Service: Pozvonim.com



PS: This article made an impression on the owner of Kollbekkiller, and he officially admitted his guilt:



We hope that in the near future new malicious code will not appear in this service or in others.

Source: https://habr.com/ru/post/296644/
